Is there a purpose for using pf if you have a hardware router/firewall?

I haven't started using pf yet, but I'm wondering if it would still be worth using if I already have a built-in firewall with my router and what the difference is between that and setting up a dedicated box as a pf firewall for everything to run through first before reaching any other computers on my network as opposed to not having one and just using the firewall router.

Your main concerns should be:

1) The nature and volume of the expected traffic. Would you have an FTP, HTTP and/or SSH server? Would you do some p2p? Would you use an XBox?

2) The specifications of your network: would it link two desktop computers? More computers and a server? Or else?

3) The specifications of the router: is this a heavy-duty router or one you just bought from your favorite consumer hardware shop? Could it handle the nature and volume of your traffic?

Depending on your answers to 1), 2) and 3), my guess is that you might be better off scrapping your router for a dedicated box (OpenBSD, FreeBSD or NetBSD), pf, AltQ and a switch instead.

Why use PF if you're not using OpenBSD as a router or bridge? Perhaps it's being used as a small server, or perhaps a workstation?

Filtering rules can be used to control access out, or access in.

Queue management rules can be used to shape outbound traffic.

State table management rules can be used to manage and control inbound requests for services.

Advanced UDP/TCP port redirection can be used for service management.

You're probably familiar with filtering rules if you've ever used "personal firewall" software. The flexibility (and perhaps complexity) of PF rules typically allow more control over filtering than other firewall software.

Let's look at the other three features.

First, having used a SOHO NAT router, you may be familiar with "port forwarding" to expose services on your local network. This is a subset of the capabilities of PF port redirection rules. In particular, redirection to loopback can provide great flexibility for virtual server control and management.

As for the last two features, I'm not aware of any SOHO router that can do traffic shaping (bandwidth control by application or network service) or inbound request rate control.

Keep your NAT router for the time being, and begin to learn how to use PF to your advantage. Eventually, you may sell your router and replace it with an OpenBSD platform. I did.

Of course, you have to learn how to install, configure, and maintain the applications that provide the aforementioned functionality, but that's some huge potential.

But I believe the choice is not based on feature-comparison, but rather love of the job: you like OpenBSD/PF for various reasons already and know that it would do the same job and more, so why not use it?
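The four capabilities listed in the answer above (filtering, queue management, state table control, port redirection), plus the NAT a SOHO router provides, in one pf.conf. This is an added example, not configuration from the poster or from the OpenBSD project. It uses the pre-OpenBSD 4.7 syntax (separate nat/rdr rules, ALTQ queueing) that matches the era of the thread; on OpenBSD 4.7 and later translation is written as match ... nat-to / rdr-to, and from 5.5 the queue system replaced ALTQ (removed in 5.6). Interface names, addresses, the 512Kb upstream figure and the queue names are assumptions.

```pf
# Added example, not from the original thread. Assumed: fxp0 faces the ISP,
# fxp1 faces the LAN, a web server lives at 192.168.1.10, and a second sshd
# listens only on 127.0.0.1:2222. Rule sections must keep pfctl's order:
# macros/tables, options, normalization, queueing, translation, filtering.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

table <bruteforce> persist      # filled by the overload rules below

set skip on lo0
scrub in all

# Queue management: ALTQ class-based queueing on the upstream link, so
# ACKs and interactive ssh are not starved by bulk or p2p uploads.
# Set the bandwidth a little below the real upstream rate or nothing is shaped.
altq on $ext_if cbq bandwidth 512Kb queue { q_ack, q_ssh, q_bulk, q_p2p }
queue q_ack  bandwidth 20% priority 7 cbq(borrow)
queue q_ssh  bandwidth 20% priority 6 cbq(borrow)
queue q_bulk bandwidth 50% priority 3 cbq(borrow default)
queue q_p2p  bandwidth 10% priority 1 cbq(borrow)

# Port redirection: expose the LAN web server on the external address,
# and redirect external port 2222 to the sshd bound to loopback only.
rdr on $ext_if proto tcp from any to ($ext_if) port 80   -> $web_srv  port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 2222 -> 127.0.0.1 port 2222

# NAT for the LAN: what the SOHO router used to do.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Filtering: default deny both directions, then open what is needed.
block in  log all
block out log all
antispoof quick for $int_if
block in quick on $ext_if from <bruteforce>

# LAN hosts may go anywhere; their translated traffic leaves via $ext_if.
pass in  on $int_if from $lan_net to any keep state
pass out on $int_if to $lan_net keep state
pass out on $ext_if proto tcp from ($ext_if) to any \
    flags S/SA keep state queue (q_bulk, q_ack)
pass out on $ext_if proto tcp from ($ext_if) to any port 22 \
    flags S/SA keep state queue (q_ssh, q_ack)
pass out on $ext_if proto { udp, icmp } from ($ext_if) to any keep state

# State table management: cap concurrent and new connections per source on
# the web server, and rate-limit inbound ssh to 3 new connections per 30 s.
# Sources that exceed the limits land in <bruteforce> and are dropped above.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass in on $ext_if proto tcp from any to 127.0.0.1 port 2222 flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <bruteforce> flush)
```

Load it with pfctl -nf /etc/pf.conf first to check syntax, then pfctl -f /etc/pf.conf; pfctl -t bruteforce -T show lists the sources the overload rules have caught, and pfctl -s queue shows the ALTQ queues with their packet counts. The filter rules for redirected traffic match on the translated destination ($web_srv, 127.0.0.1), not on the external address, because translation happens before filtering.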

The Desktop gets a DHCP address (MAC-controlled) from the OBSD box that points it to the OBSD box for routing. The OBSD box is just a one-armed (single NIC) NAT translator. The OBSD box picks up the packets from the Desktop, translates and filters them, then routes them out to the ADSL router, which NATs the packets one more time before routing them on to my ISP.

It's not the most network-efficient setup, but I have seen zero performance problems. I will eventually scale down what the ADSL router does in favor of the OBSD box (read: PPPoE, NAT) and re-do the OBSD box with two NICs, but for now, it's fine.

The OBSD box also fulfills the following functions with no discernible network latency-